End-to-end security in an ieee 802.11 communication system

ABSTRACT

A communication network comprises a front-end network communication device arranged to operate as a front-end access point for establishing at least one data connection, such as an IEEE 802.11 data connection, between at least one mobile communications terminal and at least one back-end network communication device, protected end-to-end with an encryption key unknown to said at least one front-end network communication device. The front-end network communication device includes a memory, a controller and a data port and the back-end network communication device includes a memory, a controller and a data port.

TECHNICAL FIELD

This application relates to a method, a system, a network communication device, such as an access point, a master server and a computer-readable medium comprising instructions for improved security in a communication system.

BACKGROUND

There are hundreds of millions of Wi-Fi networks in the world today, serving billions of devices. Many of these networks are installed in consumer homes and business and are there for a reason, they have a primary function. But they are to an increasing degree also used to fulfil a secondary role, e.g. providing mobile data communications services to secondary users e.g. for the purpose of offloading Universal Mobile Telecommunications System (UMTS) or Long Term Evolution (LTE) networks. This gives rise to a security problem steaming from the fact that the networks and access points are often under the physical control of organizations and operators that are not trustworthy in the eyes of secondary users and/or their service providers. The technology disclosed herein solves this problem by protecting the data communication with the standard IEEE 802.11i security mechanism end-to-end, all the way from the device to a location that the user can reasonably consider trusted Security is important in all Wi-Fi networks but requirements vary depending on how the technology is deployed. We make a clear distinction between the following three security requirements.

Restricted access. Access must be restricted so that only authorized users can access the network and its resources.

Data privacy. Once a device is connected to the network it must not be possible for a third party to eavesdrop on the communication between the device and the network.

Data integrity. Once a device is connected to the network it must not be possible for a third party to modify the communication between the device and the network.

In residential or enterprise Wi-Fi networks preventing unauthorized access is usually the focus of attention. Potential threats to data privacy and data integrity on the air interface are handled with IEEE 802.11 mutual authentication and encryption, but not so on the wireline side. It is assumed that anybody with physical access to network elements is prevented through other means (e.g. physical security, company policy, legal agreements and so on) from eavesdropping on or modifying the communication of other users. FIG. 5A shows a schematic view of a prior art corporate WLAN environment.

In an enterprise or residential context this key assumption often holds true, but not so in a carrier context. Access points and backhaul connections are more often than not under the physical control of somebody that cannot effectively be prevented from attempting to eavesdrop on or modify the communication of others. Making this incorrect assumption and deploying equipment designed for enterprise use or similar design practices in a carrier context can lead to severe security problems. FIG. 5B shows a prior art service provider environment which is different because there is no trust between users.

Some vendors in the carrier Wi-Fi space try to mitigate these problems by separately encrypting backhaul connections with IPSec or similar VPN protocols. This however leaves a weak link: clear-text data can still be accessed and modified within the access point itself. FIG. 5C shows a prior art example of how some vendors attempt to patch up security with piecewise VPN tunnels. This adds complexity and reduces scalability of the system while failing to ensure security.

There is thus a need for a secure manner of enabling a secure connection between a mobile communications terminal and a home router. There also exists a need for a system which is enabled to adapt the data traffic in the system.

SUMMARY

It is an object of the teachings of this application to overcome the problems listed above by providing a communication network comprising a front-end network communication device arranged to operate as a front-end access point for establishing at least one data connection, such as an IEEE 802.11 data connection, between at least one mobile communications terminal and at least one back-end network communication device, wherein said front-end network communication device comprises a memory, a controller and a data port and said back-end network communication device comprises a memory, a controller and a data port wherein said front-end network communication device has a primary purpose and said at least one data connections is for a secondary purpose associated with said at least one back-end network communication devices.

The primary purpose is to provide one or more primary users with data communication services, and at least one of said primary users is in physical control of said front-end network communications device, and said front-end network communications device is arranged with access to primary encryption keys necessary for communication with said one or more primary users.

The secondary purpose is to provide one or more secondary user's access to secondary service providers.

The data connection is established end-to-end by said front-end network communications device being configured to receive at least one 802.11 frame from said mobile communications terminal, said IEEE 802.11 frame comprising an information entity, and send a corresponding message to said back-end network communications device, said message comprising said information entity, and/or receive at least one message from said back-end network communications device, said message comprising an information entity, and send a corresponding 802.11 frame to said mobile communications terminal, said IEEE 802.11 comprising said information entity, said front-end network communications device thereby being configured to act as a forwarding relay between said at least one mobile communications terminal and said at least one back-end network communications device and wherein said back-end network communication device is configured for: sending and receiving messages comprising IEEE 802.11 authentication protocol data to and/or from said at least one mobile communications terminal; and authenticating said mobile communication terminal and deriving secondary encryption keys based on said IEEE 802.11 authentication protocol data, wherein said back-end network communication device has access to said secondary encryption keys and said back-end network communication device is configured to keep said secondary encryption keys secret from the front-end network communications device.

It is also an object of the teachings of this application to overcome the problems listed above by providing a method for use in a communication network (400) comprising a front-end network communication device (100A, 200A) arranged to operate as a front-end access point for establishing at least one data connection (430), such as an IEEE 802.11 data connection (430), between at least one mobile communications terminal (420) and at least one back-end network communication device (100B, 200A), wherein said front-end network communication device (100A) comprises a memory (240), a controller (210) and a data port and said back-end network communication device (100B) comprises a memory (240), a controller (210) and a data port wherein said front-end network communication device (100A) has a primary purpose and said at least one data connections (430) is for a secondary purpose associated with said at least one back-end network communication devices (100B), wherein said primary purpose is to provide one or more primary users with data communication services, and at least one of said primary users is in physical control of said front-end network communications device (100A), and said front-end network communications device (100A) is arranged with access to primary encryption keys necessary for communication with said one or more primary users, and wherein said secondary purpose is to provide one or more secondary users access to secondary service providers, and wherein said method comprises establishing said data connection (430) end-to-end by: in the front-end network communications device (100A) receiving at least one 802.11 frame from said mobile communications terminal (420), said IEEE 802.11 frame comprising an information entity, and from the front-end network communications device (100A) sending a corresponding message to said back-end network communications device (100B), said message comprising said information entity, and/or in the front-end network communications device (100A) receiving at least one message from said back-end network communications device (100B), said message comprising an information entity, and from the front-end network communications device (100A) send a corresponding 802.11 frame to said mobile communications terminal (420), said IEEE 802.11 comprising said information entity, said front-end network communications device (100A) thereby being configured to act as a forwarding relay between said at least one mobile communications terminal (420) and said at least one back-end network communications device (100B) and wherein said method further comprising sending and receiving messages comprising IEEE 802.11 authentication protocol data between said back-end network communication device (100B) and said at least one mobile communications terminal (420); and authenticating said mobile communication terminal (420) and deriving secondary encryption keys based on said IEEE 802.11 authentication protocol data, wherein said back-end network communication device (100B) has access to said secondary encryption keys and said back-end network communication device (100B) is configured to keep said secondary encryption keys secret from the front-end network communications device (100A).

It is also an object of the teachings of this application to overcome the problems listed above by providing a computer-readable storage medium encoded with instructions that, when executed on a processor, performs the method according to above.

It is also an object of the teachings of this application to overcome the problems listed above by providing a back-end network communication device (100B, 200A) for use in a communication network (400) according to claim 1, wherein said back-end network communications device (100B) is configured to receive message from said front-end network communications device (100A), said message comprising at least one 802.11 frame from said mobile communications terminal (420), said IEEE 802.11 frame comprising an information entity, and/or send at least one message from said back-end network communications device (100B), said message comprising an information entity, to said front-end network communications device (100A), and sending and receiving messages comprising IEEE 802.11 authentication protocol data to and/or from said at least one mobile communications terminal (420); and authenticating said mobile communication terminal (420) and deriving secondary encryption keys based on said IEEE 802.11 authentication protocol data, wherein said back-end network communication device (100B) has access to said secondary encryption keys and said back-end network communication device (100B) is configured to keep said secondary encryption keys secret from the front-end network communications device (100A).

It is also an object of the teachings of this application to overcome the problems listed above by providing a front-end network communication device (100A, 200A) for use in a communication network (400) according to claim 1, wherein said front-end network communication device (100A) has a primary purpose and said at least one data connections (430) is for a secondary purpose associated with said at least one back-end network communication devices (100B), wherein said primary purpose is to provide one or more primary users with data communication services, and at least one of said primary users is in physical control of said front-end network communications device (100A), and said front-end network communications device (100A) is arranged with access to primary encryption keys necessary for communication with said one or more primary users, and wherein said secondary purpose is to provide one or more secondary users access to secondary service providers, and wherein said data connection (430) is established end-to-end by: said front-end network communications device (100A) being configured to receive at least one 802.11 frame from said mobile communications terminal (420), said IEEE 802.11 frame comprising an information entity, and send a corresponding message to said back-end network communications device (100B), said message comprising said information entity, and/or receive at least one message from said back-end network communications device (100B), said message comprising an information entity, and send a corresponding 802.11 frame to said mobile communications terminal (420), said IEEE 802.11 comprising said information entity, said front-end network communications device (100A) thereby being configured to act as a forwarding relay between said at least one mobile communications terminal (420) and said at least one back-end network communications device (100B) and wherein said sending and receiving message and corresponding 802.11 frame comprising IEEE 802.11 authentication protocol data enabling the back-end network communications device (100B) to authenticate said mobile communication terminal (420) and derive secondary encryption keys based on said IEEE 802.11 authentication protocol data, wherein said front-end network communication device (100A) is arranged to not have access to said secondary encryption keys.

It is also an object of the teachings of this application to overcome the problems listed above by providing a computer-readable storage medium encoded with instructions that, when executed on a processor of a back-end network communications device (100B) causes the back-end network communications device (100B) to perform as the back-end network communications device according to above.

It is also an object of the teachings of this application to overcome the problems listed above by providing a computer-readable storage medium encoded with instructions that, when executed on a processor of a front-end network communications device (100A) causes the front-end network communications device (100A) to perform as the front-end network communications device according to above.

The inventors of the present invention have realized, after inventive and insightful reasoning, that as an untrusted entity may have complete physical and/or electronic access to the Access Point (AP), and may therefore be capable of manipulating both hardware and software of the AP, there exists a real problem in that a mobile communication terminal connecting to the AP cannot be guaranteed data integrity and/or data privacy. These problems are a result of the fact that the AP is actually arranged for a primary purpose or function and the primary user of the AP has complete access to the AP.

Also, the primary function should not be influenced or affected by the AP also executing secondary functions and the AP should remain to be seen as intact from the primary purpose's perspective.

The inventors of the present invention have further realized, after inventive and insightful reasoning, that as if the AP is to authenticate secondary users using a standard IEEE 802.11 security mechanism, such as WPA2 Enterprise with EAP-AKA authentication, then the authentication interface, e.g. a RADIUS connection to an Authentication Authorization and Accounting (AAA) server operatively connected to the Home Location Registry (HLR), is exposed to the primary user. A primary user with malicious intent may misuse this access to set up a rogue access point arranged to use the authentication interface and thereby impersonate a service provider to trick a user to connect to the rogue access point, whereby the user is vulnerable to exploitation by the rogue access point; their devices may in many cases connect automatically to the rouge access point without user intervention and with minimal user notification.

It should be noted that protecting the authentication interface in itself does not solve the problem unless the encryption keys derived during authentication are also protected. Take as an example a Wireless Termination Point (WTP) arranged to communicate with an Access Controller (AC) in a typical enterprise IEEE 802.11 communication system deployed by a service provider. The AC may be installed in a secure location and configured to perform IEEE 802.1X authentication using a RADIUS interface that is only accessible within the protected environment. But since the AC sends the encryption keys derived during authentication to the WTP after authentication, and the WTP may be under the control an attacker, the attacker may be enabled to operate a rouge access point even if the attacker is not provided direct access to the RADIUS authentication interface; the rogue access point can still be arranged to connect to the AC through the compromised WTP, impersonating an authorized WTP and tricking a device to connect. Once the device has authenticated with the AC the AC will send the derived encryption keys necessary for communication with the device to the compromised WTP which may forward them to the rogue access point.

Also note that the security threat posed by the above problem is not geographically limited. The compromised WTP and rogue access point may be operatively connected over the Internet, enabling an attacker to target any device that trusts the service provider anywhere in the world.

The mere realization of these two problems, alone or in combination, requires inventive thinking as the problem(s) have previously been unknown and the establishing of a secure connection has in the prior art been thought of as not being possible. This disbelief in a practical solution has been based to a large extent on not understanding the underlying problems, which the inventors of this technology have realized.

The solution is based on not exposing authentication credentials or interfaces to untrusted parties or allowing any encryption key to be transmitted or stored outside a physically and electronically secure location as is discussed in great detail herein. This is a simple solution to a highly complicated problem in a complex communication network providing a functionality which has been thought of not being possible.

The details regarding these problems will be discussed in greater detail in the detailed description as well as further below in this summary.

The technology disclosed herein in contrast has been designed from the ground up for carrier-grade security. User plane data privacy and data integrity is ensured, even when an attacker is in physical control of both the visited AP and the backhaul connection.

FIG. 5D shows a system or network enabled according to the technology disclosed herein which ensures end-to-end security by extending the IEEE 802.11 security mechanism across the backhaul to a secure location.

One major benefit of the teachings herein is that a strong mutual authentication is enabled and secured as is disclosed below.

Most IEEE 802.11 security protocols ensure strong mutual authentication, i.e. the device is authenticated to the network but the network is also authenticated to the device. This acts as a safeguard against man-in-the-middle attacks in the form of so-called rogue access points.

No chain is however stronger than its weakest link; the authentication mechanism can only ensure that the counterparties have access to the authentication credentials they say they do. Therefore, if the surrounding system exposes the credentials to unauthorized third parties then the authentication is essentially null and void. In a WPA/WPA2 Personal context this means that the passphrase must be protected. In a WPA/WPA2 Enterprise context it means ensuring that no untrusted entity has access to the RADIUS authentication interface

The (software of the) technology disclosed herein goes to great lengths to protect authentication credentials: in the case of WPA/WPA2 Personal the passphrase never leaves the residential gateway or consumer Wi-Fi router and in the case of WPA/WPA2 Enterprise the RADIUS interface only needs to be accessible from the tunnel termination gateway (TTG) which can be physically secured.

In most Wi-Fi systems designed for residential or enterprise use user data is only encrypted over the air, or if it is encrypted over the backhaul connection then the backhaul is protected by a separate encryption tunnel, e.g. IPSec or other VPN. The technology disclosed herein in contrast encrypts the connection end-to-end, all the way from the mobile device to the tunnel termination point (TTP), using the standard IEEE 802.11i AES or TKIP encryption. The encryption keys are derived in the mobile device and at the tunnel termination point (TTP) and are as a rule only available there.

But, every rule has an exception. In order to optimize network traffic flow it is possible to adapt the technology disclosed herein to send the Temporal Key (TK) into the operators network so that Internet-bound traffic can be broken out centrally. For example, if the operator has the capability to remotely update the firmware in the subscriber's home gateway then the subscriber has placed his or her trust in the operator and the privacy and integrity of their communication is protected through other means than purely technical. In this context the Temporal Key (TK) can be transferred from the residential gateway to the operator's network without affecting the nature of the trust relationship between subscriber and operator. On the other hand, the same subscriber can reasonably expect the integrity of their network to be protected even from their operator if they are using a consumer Wi-Fi router. In this case a transfer of the Temporal Key (TK) is not acceptable.

It should be noted that the technology disclosed herein is not an authentication technology; it is a tunneling technology that simply brings raw Wi-Fi radio traffic to where it can be authenticated and decrypted. The security of the technology disclosed herein rests firmly on the tested and proven IEEE 802.11(i) mechanism. There are however some aspects that need careful consideration when employing this mechanism in a different context.

The Internet is much larger than the coverage area of your average Wi-Fi network. Since we expose the IEEE 802.11 stack in the tunnel termination back-end to frames coming in over the network a security defect in this software is much more likely to be exploited and the potential consequences much more severe. We have therefore implemented some security measures intended to harden the IEEE 802.11 subsystem against such attacks.

Firstly, the tunnel termination back-end software will not provide remote access to networks protected with WEP. The technology herein also enables protection against brute force attacks. The tunnel termination back-end will not allow a mobile device to authenticate until it has received an introduction message from the cloud-based matchmaking service. This prevents parallel “port scanning” type attacks. Once the introduction message is received the back-end will only allow the mobile device a certain number of IEEE 802.11i authentication attempts before disconnecting. The back-end may also report such authentication failures to an optional master server, enabling monitoring and detection of potentially compromised and malicious front-ends.

Other features and advantages of the disclosed embodiments will appear from the following detailed disclosure, from the attached dependent claims as well as from the drawings.

Generally, all terms used in the claims are to be interpreted according to their ordinary meaning in the technical field, unless explicitly defined otherwise herein.

All references to “a/an/the [element, device, component, means, step, etc]” are to be interpreted openly as referring to at least one instance of the element, device, component, means, step, etc., unless explicitly stated otherwise. The steps of any method disclosed herein do not have to be performed in the exact order disclosed, unless explicitly stated.

BRIEF DESCRIPTION OF DRAWINGS

The invention will be described in further detail under reference to the accompanying drawings in which:

FIG. 1 shows a schematic view of a network communication device, such as an access point, according to one embodiment of the teachings of this application;

FIG. 2A shows a schematic view of the general structure of a network communication device, such as an access point, according to one embodiment of the teachings of this application;

FIG. 2B shows a schematic view of the general structure of a master server according to one embodiment of the teachings of this application;

FIG. 3 shows a schematic view of a computer-readable medium comprising instructions according to one embodiment of the teachings of this application;

FIG. 4 shows a schematic view of a basic communication system according to one embodiment of the teachings of this application;

FIGS. 5A, B and C each shows a schematic view of a prior art communication system;

FIG. 5D shows a schematic view of a communication system according to one embodiment of the teachings of this application;

FIG. 6 shows a schematic view of a communication system according to one embodiment of the teachings of this application;

FIGS. 7A, 7B, 7C and 7D each shows a schematic view of a communication system according to one embodiment of the teachings of this application;

FIG. 8 shows a schematic view of a communication system according to one embodiment of the teachings of this application;

FIG. 9 shows a schematic view of a communication system according to one embodiment of the teachings of this application;

FIG. 10 shows a time graph of the messages sent between the various entities of a network or system arranged according to one embodiment of the teachings of this application

FIG. 11 shows a schematic view of a communication system according to one embodiment of the teachings of this application;

FIGS. 12A and 12B each shows a schematic view of a communication system according to one embodiment of the teachings of this application; and

FIG. 13 shows a flowchart of a general method according to one embodiment of the teachings of this application.

DETAILED DESCRIPTION

The disclosed embodiments will now be described more fully hereinafter with reference to the accompanying drawings, in which certain embodiments of the invention are shown. This invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided by way of example so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art. Like numbers refer to like elements throughout.

More details on the underlying technology for communication systems such as disclosed herein are to be found in the two international patent applications referenced by WO 2010/0145882 and PCT/EP2011/070586. The terminology of the two applications differs somewhat from the terminology of this application. The master server of the two applications is referred to herein as a master server or matchmaking service. An access point of the two applications is referred to herein as an access point or a radio front-end. A service provider server of the two applications is referred to herein as a tunnel termination back-end. The two international applications are incorporated herein by reference and a reader is invited to study either of the two international applications for further details on how to implement a general communication system as disclosed herein.

FIG. 1 shows a network communication apparatus 100 according to an embodiment herein. In one embodiment the network communication apparatus 100 is configured for network communication, wireless and/or wired. In one embodiment the network communication apparatus 100 is configured for network communication, both wireless and wired. In one embodiment the network communication apparatus 100 functions as an access point (AP). Examples of such a network communication apparatus 100 are a router and a bridge.

With reference to FIG. 4, the back-end network communications device 100B may be implemented as, for example, a rackmount network element, a network server or network appliance acting as a tunnel termination back-end.

The network communication apparatus 100 will hereafter be exemplified and described as being a router 100. The router 100 comprises a housing 110 comprising a controller or CPU (not shown) and one or more computer-readable storage mediums (not shown), such as storage units and internal memory. Examples of storage units are disk drives or hard drives. The router 100 further comprises at least one data port 120. Data ports can be wired and/or wireless. An example of a wired data port is an Ethernet port 120 a. An example of a wireless data port is a radio frequency based data port 120 b based on the IEEE 802.11 standard, that is, a Wi-Fi port. Data ports are configured to enable a terminal 100 to connect with other routers or a server. They are also configured for enabling the router 100 to communicate with one or more mobile communications terminals such as a mobile phone, a computer tablet or a laptop computer. In one embodiment the mobile communications terminal is Wi-Fi enabled. The router 100 may also comprise at least one input unit such as a button 130. Such a button 130 may for example be used to reset the router 100.

FIG. 2A shows a schematic view of the general structure of a router according to FIG. 1. The router 200A comprises a controller 210 which is responsible for the overall operation of the router 200A and is preferably implemented by any commercially available CPU (“Central Processing Unit”), DSP (“Digital Signal Processor”) or any other electronic programmable logic device. The controller 210 may be implemented using instructions that enable hardware functionality, for example, by using executable computer program instructions in a general-purpose or special-purpose processor that may be stored on a computer-readable storage medium (disk, memory etc) 240 to be executed by such a processor. The controller 210 is configured to read instructions from the memory 240 and execute these instructions to control the operation of the router 200A. The memory 240 may be implemented using any commonly known technology for computer-readable memories such as ROM, RAM, SRAM, DRAM, CMOS, FLASH, DDR, EEPROM memory, flash memory, hard drive, optical storage or any combination thereof. The memory 240 is used for various purposes by the controller 210, one of them being for storing application data and program instructions for various software modules in the terminal 200A.

The router 200A may comprise a wired interface 220, which is adapted to allow the terminal to communicate with other devices such a server for a service provider. Examples of such wired technologies are USB, Ethernet, Local Area Network, TCP/IP (Transport Control Protocol/Internet Protocol) to name a few.

The router 200A further comprises a radio frequency interface 230, which is adapted to allow the terminal to communicate with other devices through a radio frequency band through the use of different radio frequency technologies. Examples of such technologies are Wi-Fi, Bluetooth®, W-CDMA, GSM, UTRAN, LTE, and NMT to name a few. It should be noted that for the purpose of this application the evolving communication standard commonly referred to as White-Fi is considered to be equivalent to the Wi-Fi in its operation and the teachings offered herein in relation to Wi-Fi and the IEEE 802.11 standard also extend to the White-Fi standard.

In order for the router 100 to function as a radio front-end the RF interface 230 should have a Wi-Fi chipset should have a software defined IEEE 802.11 Media Access Control (MAC) layer and support for multiple BSSIDs. The Wi-Fi driver should also support a low level interface so that the technology disclosed herein can send and receive raw encrypted IEEE 802.11 frames.

FIG. 2B shows a schematic view of the general structure of a master server 200B. The master server 200B comprises a controller 210 which is responsible for the overall operation of the master server 200B and is preferably implemented by any commercially available CPU (“Central Processing Unit”), DSP (“Digital Signal Processor”) or any other electronic programmable logic device. The controller 210 may be implemented using instructions that enable hardware functionality, for example, by using executable computer program instructions in a general-purpose or special-purpose processor that may be stored on a computer-readable storage medium (disk, memory etc) 240 to be executed by such a processor. The controller 210 is configured to read instructions from the memory 240 and execute these instructions to control the operation of the master server 200B. The memory 240 may be implemented using any commonly known technology for computer-readable memories such as ROM, RAM, SRAM, DRAM, CMOS, FLASH, DDR, EEPROM memory, flash memory, hard drive, optical storage or any combination thereof. The memory 240 is used for various purposes by the controller 210, one of them being for storing application data and program instructions for various software modules in the terminal 200A.

The master server 200B comprises a wired interface 220, which is adapted to allow the terminal to communicate with other devices such a server for a service provider. Examples of such wired technologies are USB, Ethernet, Local Area Network, TCP/IP (Transport Control Protocol/Internet Protocol) to name a few.

The master server 200B may further comprise an interface 230 which is adapted to allow the terminal to communicate with other devices, such as network communication devices and other master servers or other network devices or other communication networks, through a radio frequency band through the use of different radio frequency technologies. Examples of such technologies are Wi-Fi, Bluetooth®, W-CDMA, GSM, UTRAN, LTE, and NMT to name a few.

FIG. 3 shows a schematic view of a computer-readable medium as described in the above. The computer-readable medium 30 is in this embodiment a data disc 30. In one embodiment the data disc 30 is a magnetic data storage disc. The data disc 30 is configured to carry instructions 31 that when loaded into a controller, such as a processor, executes a method or procedure according to the embodiments disclosed above. The data disc 30 is arranged to be connected to or within and read by a reading device 32, for loading the instructions into the controller. One such example of a reading device 32 in combination with one (or several) data disc(s) 30 is a hard drive. It should be noted that the computer-readable medium can also be other mediums such as compact discs, digital video discs, flash memories or other memory technologies commonly used.

The instructions 31 may also be downloaded to a computer data reading device 100, such as a router as the router 100 of FIG. 1 or other device capable of reading computer coded data on a computer-readable medium such as a computer, by comprising the instructions 31 in a computer-readable signal 33 which is transmitted via a wireless (or wired) interface (for example via the Internet) to the computer data reading device 100 for loading the instructions 31 into a controller (not shown explicitly in FIG. 3, but referenced 210 in FIG. 2). In such an embodiment the computer-readable signal 33 is one type of a computer-readable medium 30.

The instructions may be stored in a memory (not shown explicitly in FIG. 3, but referenced 240 in FIG. 2) of the router 100. The instructions may be contained in software modules or firmware modules.

In this manner the router 100 may be updated with new instructions and enabled for an updated operation. Both the software and/or the firmware may thus be updated remotely.

References to computer program, instructions, code etc. should be understood to encompass software for a programmable processor or firmware such as, for example, the programmable content of a hardware device whether instructions for a processor, or configuration settings for a fixed-function device, gate array or programmable logic device etc.

FIG. 4 shows a schematic overview of a basic communication system or network according to the teachings herein. The terms network and system will be used interchangeably herein. A front-end router 100A acting as an access point (AP) is connected via the internet to a master server 410, possibly via a wired interface indicated by the line going through the INTERNET cloud. A back-end router 100B acting as a home- or back-end access point is also connected to the master server 410. The front-end access point 100A may be connected to a mobile communications terminal also referred to herein as a mobile device 420, such as a smartphone, a computer tablet or a laptop computer. Preferably the mobile communications terminal is Wi-Fi enabled. The master server 410 acts as a matchmaking server for enabling a data tunnel 430 to be established between the front-end access point 100A and the back-end access point 100B. Note however that the data tunnel 430 may also connect the front-end access point 100A to a termination gateway (TTG) as illustrated in FIG. 9. The functions of a system such as the system of FIG. 4 will now be described in greater detail.

To enable a router 100 for operation as a front-end 100A according to the technology herein public access point vendors only need to integrate the radio front-end software.

To enable a router 100 for operation as a back-end 100B according to the technology herein residential gateway vendors should integrate both the radio front-end and the tunnel termination back-end software.

To enable a consumer Wi-Fi router 100 for operation according to the technology herein router vendors should integrate both the radio front-end and the tunnel termination back-end software.

A tunnel termination gateway, as the name implies, should only support tunnel termination back-end functionality. The configuration interface needs to allow adjustment of the standard Wi-Fi network settings, e.g. SSID, security mechanism, encryption algorithms and RADIUS servers. The interface should also allow the operator to specify an Account that the resulting Service should be associated with.

It should be noted that the embodiments relating to a communications network as disclosed with reference to FIGS. 4, 5D, and 6 to 12 are only for exemplifying and illustrative purposes. The technology herein may also be implemented on a system comprising only a front-end network communications device 100A and a back-end network communications device 100B. The data connection 430 in such a system 400 may be established in a multitude of ways. Some examples are given below. The master server 410 is thus optional which is indicated in FIG. 4 by the dashed line box surrounding the master server 410. Of course a communication system even when not relying on a master server may include a plurality of front-end network communications devices 100A as well as or alternatively a plurality of back-end network communications devices 100B.

One example of how to establish a data connection, over which 802.11 encrypted data can be transferred, without a master server is to store the Fully Qualified Domain Name (FQDN) of the back-end network communications device 100B in the memory 240 of a router 210 when manufactured. Said router can resolve the IP address associated with the FQDN using DNS and function as a front-end network communications device 100A by independently connecting to said back-end network communications device 100B. The FQDN can also be stored in the memory of the router 210 after it has been deployed using a remote configuration protocol such as TR-069 or SNMP. The FQDN of a plurality of front-end network communications devices 100A may similarly be stored in the memory of a tunnel termination gateway

In such a system, as exemplified in FIG. 4, the master server 410 is optional as indicated by the dashed box around the master server 410.

The terminology used herein denotes encryption keys to include any encryption key involved in the IEEE802.11 handshake process. And the key derivation to include any derivation of an encryption key involved in an IEEE 802.11 security mechanism.

The 802.11 authentication protocol data is meant to include any authentication protocol data involved in an IEEE 802.11 authentication.

In one embodiment the IEEE 802.11 stack is partitioned into three parts: a radio front-end, such as the front-end access point 100 of FIGS. 1 and 100A of FIG. 4, that handles the low level real-time aspects of the protocol, a tunnel termination back-end, such as the back-end AP 100B of FIG. 4, that implements the higher layers of the stack and a cloud-based matchmaking service, such as the master server 410 of FIG. 4, that connects front-ends and back-ends on demand. This architecture makes it possible to dynamically assemble complete Wi-Fi stacks which provide exactly the network each mobile device is looking for on demand. FIG. 6 shows a schematic view of a communication system arranged to implement the technology. The system disclosed in an architecture overview. A control panel or REST web service interface allows operators, hardware vendors and other stakeholders to control which front-ends and back-ends are connected and what happens after a device connects. Two access points 100A and 100B are shown in FIG. 6 with an enlarged view of their functional components. The Home AP 100B has a software component, referred to as SW COMP in the figures, implementing tunnel termination back-end functionality. The front-end AP 100A has a software component, referred to as SW COMP in the figures, implementing radio front-end functionality. The software components are arranged to communicate with a master server also referred to herein as a matchmaking service 410

The radio front-end 100A, such as the AP 100A of FIG. 4, has at least two main responsibilities: constantly monitoring the radio environment to detect when a mobile device comes within range and, when so instructed by the cloud-based matchmaking service, serving as a Wireless Termination Point (WTP) for its preferred networks. Details on the monitoring and the how and when to control the AP 104 to serve as a WTP are disclosed in the incorporated application WO 2010/145882.

The radio front-end 100A handles the low level real-time critical aspects of the IEEE 802.11 protocol, e.g. sending acknowledgement frames and transmitting periodic beacons. The higher level MLME (Media Access Control (MAC) Sublayer Management Entity) and data frames are instead encapsulated in UDP/IP (User Datagram Protocol/Internet Protocol) datagrams and forwarded to the relevant tunnel termination back-end 100B. In this sense the front-end functions as a “dumb” radio; it simply forwards (often encrypted) IEEE 802.11 radio frames between its wired network interface and the Wi-Fi radio.

Adding radio front-end functionality to a public access point or residential gateway may be achieved through a remote firmware or software update as has been disclosed in relation to FIG. 3. The radio front-end software can of course also be factory installed e.g. in consumer Wi-Fi routers.

A tunnel termination back-end 100B functions almost exactly like a Wi-Fi access point, with one important difference: instead of sending and receiving IEEE 802.11 frames over a local radio it sends and receives them on its wired network interface, encapsulated in UDP/IP datagrams. The IEEE 802.11 frames may be sent through a data tunnel 430 as disclosed in relation to FIG. 4, the Tunnel Termination Gateway 430 of FIG. 6 being one example of such a tunnel.

The back-end 100B performs all the higher level functions of the IEEE 802.11 stack including authentication and encryption. This architecture is essential for ensuring the security model according to technology disclosed herein.

The tunnel termination software according to the technology disclosed herein can be deployed in a residential gateway as a remote firmware or software update or pre-installed in consumer Wi-Fi routers. Once the software or firmware is installed it will allow mobile devices and other mobile communications terminals to connect to the local Wi-Fi network remotely, through any radio front-end. The software can also be integrated in special purpose tunnel termination gateways.

The cloud-based matchmaking service or server 410 coordinates radio front-ends 100A and tunnel termination back-ends 100B and connects them to form complete IEEE 802.11 stacks on demand. More details on how such a stack is formed can be found in the incorporated applications, namely WO 2010/0145882 and PCT/EP2011/070586.

It communicates with front-ends 100A and back-ends 100B with a lightweight UDP/IP based protocol in many ways similar to DNS (Domain Name System).

As can be seen in FIG. 6 a matchmaking or master server 410 may be arranged to handle a plurality of front-ends 100A all being connected to a plurality of back-ends 100B, which in turn may be connected to a plurality of front-ends, each connection having a data tunnel 430. Which radio front-end 100A is connected to which tunnel termination back-end 100B is governed by so-called Bindings. Bindings can be created and manipulated through the control panel or REST Web Service Interface to the monetization and exchange platform.

In an example an explanation of the operation of the system will be given by a step-by-step description of a complete use-case which will show how the parts fit together.

For the purposes of this walkthrough imagine you are a fixed-line broadband subscriber and your ISP (Internet Service Provider) has provided you with a Wi-Fi equipped residential gateway containing and configured to operate according to the technology disclosed herein.

FIG. 7A shows an example of a back-end 100B according to one embodiment of the teachings herein, also referred to as a residential gateway (Residential GW). When a residential gateway arranged with the technology disclosed herein boots up it sends a registration message (Register UUID, Beacon) to the cloud-based matchmaking service.

When the user's residential gateway starts up the embedded tunnel termination back-end software will send a registration message to the cloud-based matchmaking service containing a UUID identifying the user's home Wi-Fi network and a template that can be used to generate an IEEE 802.11 beacon frame for this network. If this is the first time the matchmaking service receives a registration message from the user's gateway it will create a Service instance to represent the user's network. It will also store the beacon template and make note of the source IP address and UDP port number of the registration message.

In one use case the first time a new device, such as a mobile communications terminal 420, is connected to the residential gateway a Bind message containing the MAC address of the device is sent to the cloud-based matchmaking service. More details are disclosed in the published and incorporated application PCT/EP2011/070586.

When a user connects a new device 420 to his home Wi-Fi network through his residential gateway 100B for the first time the tunnel termination back-end software will send another message, a Bind message, to the cloud-based matchmaking service, this time containing the MAC address of your device and the UUID identifying your home Wi-Fi network. See FIG. 7B.

The matchmaking service uses this information to create a new Client representing the user's device and a Binding encoding the user's device's preference for the user's home Wi-Fi network. The front-end 100A sends a Match message containing the MAC address of the front-end 100A. The matchmaking service 410 introduces the front-end 100A to a back-end 100B with an introduction message, containing an IP address and a port. A response message is then sent to the front-end 100A to enable a data tunnel to be established. See FIG. 7C.

When a probe request originating from that MAC address is detected elsewhere in the network the cloud-based matchmaking service will introduce the radio front-end 100A to the relevant tunnel termination back-end 100B.

Now whenever a user comes close to a radio front-end 100A, be it a public access point, residential gateway or consumer Wi-Fi router, his mobile device will automatically connect to the user's home Wi-Fi exactly as if he was at home. To accomplish this feat the radio front-end 100A must connect to the tunnel termination back-end 100B in the user's home gateway to form a complete IEEE 802.11 stack, and the resulting Wi-Fi network must from the user's device's point of view be indistinguishable from his regular home Wi-Fi. Due to the inventive reasoning made by the inventors this can be performed in a fast and efficient manner, and so quickly that the device doesn't even notice.

Once the introduction has been made encrypted Wi-Fi over IP traffic flows directly between the client device 420 and the tunnel termination back-end 100B, using the radio front-end 100A as the wireless termination point. See FIG. 7D.

The control plane (see FIG. 6) connects radio front-ends 100A and tunnel termination back-ends 100B to the cloud-based matchmaking service 410 through a light-weight UDP/IP protocol, in many ways similar to DNS. It is used to coordinate front-ends and back-ends to form complete Wi-Fi stacks on demand.

The embodiment(s) disclosed herein and associated protocols have been carefully designed to only allocate resources when they are actually needed. It will then set up a beacon and answer probe requests based on the beacon template provided by the matchmaking service.

At this point the Wi-Fi over IP tunnel to the tunnel termination back-end is not yet established—tunnel setup is deferred until the device attempts to associate with the Wi-Fi network. Resource de-allocation follows a similar early release scheme.

This just-in-time resource allocation scheme ensures that tunnel termination back-end load scales with the number of mobile devices served, and not with the number of radio front-ends 100A in the network. This is of course an essential requirement for the monetization and exchange platform since this open marketplace lets every radio front-end in the world stand ready to provide access to each and every tunnel termination back-end 100B.

When a mobile device re-associates to the network the matchmaking service 410 will introduce the radio front-end 100A to a tunnel termination back-end 100B running on another tunnel termination gateway 430. The end result is a glitch in connectivity that lasts less than a minute and only affects the STAs that were served by the failing tunnel termination gateway. A STA is a terminology commonly used in the IEEE802.11 standard and is used in this context to describe a station such as a mobile communications terminal.

NAT (Network Address Translation) traversal may be used as part of the design. Both the radio front-end software and the tunnel termination back-end software can be deployed behind NAT with so-called cone properties.

A user data plane connects a radio front-end 100A to a tunnel termination back-end 100B through a Wi-Fi over IP tunnel 430. Wi-Fi over IP relates to a specific implementation: IEEE 802.11 frames coming in on the radio are encapsulated in a thin UDP/IP header and sent out over a network backhaul (not shown explicitly, but well-known to a skilled person). In the opposite direction UDP/IP packets coming in over the backhaul connection carry IEEE 802.11 frames ready to be sent out over the radio interface. FIG. 8 shows a schematic view of the user data plane.

When the tunnel termination software runs on a residential gateway or consumer Wi-Fi router the standard IEEE 802.11i 4-way handshake goes all the way from the mobile device to the user's home, where the device is authenticated using the passphrase stored in the tunnel termination point (TTP). Since this passphrase was entered into the device (or transferred to the device using Wi-Fi Protected Setup) when it was first connected to the Wi-Fi network no user interaction is necessary for authentication, not even the first time a device connects through a Wi-Fi over IP tunnel, ensuring what we refer to as ZERO sign-on, which name indicates one of the benefits of this embodiment. Also, since the passphrase is only available in the mobile device and at the tunnel termination point (TTP) the mutual authentication property of the WPA-PSK security mechanism ensures that the end-user is in fact connected to their own network, and not to a rogue access point. This is an important benefit of this technology and also a solution to the problems as discussed in relation to the background prior art, see FIG. 8.

When the tunnel termination software runs on a tunnel termination gateway the standard WPA/WPA2 4-way handshake goes all the way from the mobile device to the tunnel termination gateway where the IEEE 802.1X authenticator can verify the identity of the subscriber using an EAP based security mechanism. This mechanism can be EAP-SIM, EAP-AKA, EAP-AKA′ or any other mechanism supported by the AAA-server. Note that with this architecture the RADIUS interface is only used to connect the tunnel termination gateway to the AAA-server within a trusted network environment. This combined with the mutual authentication property of the security mechanism ensures that the end-user is in fact connected to their operator's network, and not to a rogue access point. This is an important benefit of this technology and also a solution to the problems as discussed in relation to the background prior art, see FIG. 9.

FIG. 10 shows a time graph of the messages sent between the various entities of a network or system arranged according to the teachings and the technology herein and gives an illustration of the association and authentication process. Note that the technology disclosed herein does not in any way alter this process; it merely tunnels the Wi-Fi frames over UDP/IP.

Since the 4-way handshake runs all the way from the mobile device to the tunnel termination back-end the encryption keys are also derived only in these two places. This architecture ensures user data integrity and data confidentiality end-to-end, all the way from the mobile device to the tunnel termination back-end thereby providing an improved security. FIG. 13 shows a flowchart for a general method according to the teachings herein. The method is for use in a communication network 400, such as above, comprising a front-end network communication device 100A arranged to operate as a front-end access point for establishing at least one data connection 430, such as an IEEE 802.11 data connection 430, between at least one mobile communications terminal 420 and at least one back-end network communication device 100B. The front-end network communication device 100A has a primary purpose and said at least one data connections 430 is for a secondary purpose associated with said at least one back-end network communication devices 100B. The wherein said primary purpose is to provide one or more primary users with data communication services, and at least one of said primary users is in physical control of said front-end network communications device 100A, and said front-end network communications device 100A is arranged with access to primary encryption keys necessary for communication with said one or more primary users. The secondary purpose is to provide one or more secondary users' access to secondary service providers. The data connection 430 is established end-to-end by the front-end network communications device 100A receiving at least one 802.11 frame from said mobile communications terminal 420, said IEEE 802.11 frame comprising an information entity, and sending a corresponding message to said back-end network communications device 100B, said message comprising said information entity, and/or receiving at least one message from said back-end network communications device 100B, said message comprising an information entity, and send a corresponding 802.11 frame to said mobile communications terminal 420, said IEEE 802.11 comprising said information entity. The front-end network communications device 100A is thus configured to act 1310 as a forwarding relay between said at least one mobile communications terminal 420 and said at least one back-end network communications device 100B. The back-end network communication device 100B sends and receives 1320 messages comprising IEEE 802.11 authentication protocol data to and/or from said at least one mobile communications terminal 420. The back-end network communications device 100B authenticates 1330 said mobile communication terminal 420 and derives 1340 secondary encryption keys based on said IEEE 802.11 authentication protocol data: The back-end network communication device 100B has access to said secondary encryption keys and keeps 1350 said secondary encryption keys secret from the front-end network communications device 100A.

Handover from WTP to WTP is handled through the standard IEEE 802.11 mechanism, i.e. the mobile device periodically scans for new access points.

The technology disclosed herein architecture where mobile data is always tunneled through a tunnel termination back-end aligns perfectly with the standard IEEE 802.11 mobility mechanism. Layer 2 connectivity is preserved during handover and Layer 3 connections are therefore unaffected. Since the IEEE 802.1X authenticator runs in the tunnel termination back-end the implementation of key caching and fast handover is greatly facilitated.

When a Wi-Fi over IP tunnel is terminated in on broadband subscriber's premises data needs to traverse the subscriber's home broadband connection twice. The reason is that the cryptographic key needed to encrypt and decrypt IEEE 802.11 frames to and from a mobile device is only available in the back-end portion of the IEEE 802.11 stack in the subscribers own residential gateway or Wi-Fi router. This has strong benefits from a security point of view but may have some drawbacks from a traffic engineering perspective.

FIG. 11 shows a schematic view of a network or system according to the teachings herein arranged to operate according to the technology herein. In a basic configuration the Temporal Key (TK) is normally only available in the client device and the tunnel termination back-end.

With most access network technologies this roundtrip to the subscriber's premises is all things considered acceptable, but there may be cases where the incentives to avoid the roundtrip are significant. For example, digital subscriber line technologies (xDSL) may constrain throughput in the uplink to less than 1 Mbps and since encrypted IEEE 802.11 frames destined for a mobile device will need to traverse the uplink this will limit the downstream throughput. Perhaps even more pressingly, in DOCSIS based access networks the total aggregate uplink capacity of a cable plant can be relatively low, and increasing this uplink capacity is already a major cost burden for operators.

This problem is solved by relaxing the security model in a careful and controlled manner. A novel network element, the Optimizer, is inserted in the communication path between the radio front-end and tunnel termination back-end. The Temporal Key (TK) used to encrypt and decrypt Unicast IEEE 802.11 data frames to and from the mobile device can then be transferred to the Optimizer and Internet-bound traffic can be broken out there.

FIG. 12A shows a schematic view of a network or system according to the teachings herein arranged to operate in an extended version of the technology herein. An optimizer 440 is inserted into the communication path and the Temporal Key (TK) is transferred to this network element. This requires that the Optimizer and the key transfer mechanism can be considered trustworthy from the tunnel termination back-end's point of view. While this cannot be assumed in the general case there are some relevant special cases where this requirement can be met. This has been realized and the special cases have been identified by the inventors and will be described below.

Consider for instance the case where a DOCSIS operator has integrated the technology disclosed herein in cable modems and is operating its own matchmaking service. The end-subscriber can be assumed to trust the operator since the residential gateway firmware is operator managed. It would therefore be acceptable for the tunnel termination back-end software in the residential gateway to transfer the Temporal Key (TK) to the operator controlled matchmaking service. The key can then be further transferred to the Optimizer which is also under the operator's control.

FIG. 12B shows a schematic view of a network or system according to the teachings herein arranged to operate in an extended version of the technology herein where the optimizer 440 has access to the Temporal Key (TK) and the optimizer can break out Internet-bound traffic, thereby avoiding the roundtrip to the subscriber's home.

The optimizer 440 can also be used in a mobile Wi-Fi offload scenario to selectively terminate some of the mobile traffic in the fixed-line network edge while terminating other traffic in the mobile core. The optimizer 440 is then integrated in the fixed-line network edge while the tunnel termination back-end is implemented in a tunnel termination gateway installed in the mobile core.

The tunnel termination back-end portion of an embodiment disclosed herein implements a number of mechanisms that can be used to create advanced mobile Wi-Fi services. These are briefly outlined here.

The technology herein has been devised to protect the primary function of the residential gateway, i.e the fixed-line subscriber's use of the connection. A radio front-end software component according to the technology disclosed herein carefully monitors the fixed-line subscriber's use of both backhaul and radio resources. When there is a risk that a mobile user may in any way impact the primary function the mobile user will be throttled, both in the downstream and upstream direction, to prevent such impact.

The normal home Wi-Fi user experience is well-known to a skilled person. The technology disclosed herein lets an operator provide that exact same user experience outside the home, whenever the subscriber is close to any one of the operator's residential gateways. The user experience is exactly like at home; open a laptop or take the key lock off a phone and it will automatically connect. Note that there is no software to install on the device, no manual registration process and no username or password to remember. Yet the connection is completely secure, protected end-to-end with the standard WPA/WPA2 Personal security mechanism.

A number of benefits follow from utilizing the technology herein and translate into a superior user experience, as well as a scalable and economical solution for the operator.

No client-side software—the subscriber does not need to install any additional software on their device, or anywhere else.

Strong mutual authentication—the device is of course authenticated to the network, but the network is also authenticated to the device. The subscriber can be sure that they are in fact connected to their own home Wi-Fi network (through a Wi-Fi over IP tunnel) and not to a rogue access point.

End-to-end encryption—the Wi-Fi encryption protects the communication end-to-end, all the way from the device to the subscriber's own residential gateway. Even if an attacker is in physical control of the local access point (which is usually another subscriber's residential gateway) they cannot eavesdrop on or modify the communication. The IEEE 802.11i encryption protects the data plane end-to-end, all the way from the mobile device to the tunnel termination gateway (TTG). Data integrity and confidentiality is ensured in the transport layer and even physically insecure access points such as residential gateways can be integrated into the mobile core as a “trusted non-3GPP access” (3GPP TS 33.402). The subscriber will notice a seamless user experience on more devices (since no I-WLAN or similar client software is necessary) and improved battery life (since encryption and decryption on the mobile device is done in dedicated hardware as part of the Wi-Fi chipset).

Full mobility with fast handover—since Wi-Fi over IP tunnels are always terminated at the same place devices stay connected to the same Layer 2 network when roaming from one visited gateway to another. This means that handovers are completely seamless and that traffic traceability and other regulatory requirements are met. It also means that encryption keys derived using EAP-SIM or AKA can be cached in one secure place and reused, ensuring fast handover and reduced load on the operator's authentication infrastructure.

Infinite scalability—the Wi-Fi over IP tunnels are peer-to-peer and neither data nor signaling traffic passes through any central location. In effect you are leveraging an immense distributed system to handle tunnel termination and authentication; all the CPUs in your entire installed base of residential gateways. Also, access points do not connect to the tunnel termination gateway (TTG) until a mobile device is ready to use the service. The architecture therefore scales with the number of mobile devices, and not with the number of access points. Load balancing between tunnel termination gateways ensures scalability up to hundreds of millions of mobile devices and the REST Web Service Interface can be leveraged to select for offload only those devices that will benefit the most.

Many consumer Wi-Fi routers and most corporate WLAN systems come with a guest access solution, usually implemented as an insecure open network with a separate SSID. The technology disclosed herein makes it possible to also provide guests with remote access to their own secure Wi-Fi networks, through a Wi-Fi over IP tunnel. In a corporate environment this functionality can be used e.g. to provide employees access to their own home Wi-Fi, easing the load on IT support for providing Internet access when employees bring their own devices into the workplace. When combined with the monetization and exchange platform it can also be used to let mobile operators offload data onto a corporate WLAN, using only spare radio spectrum and backhaul. In a residential setting the technology can be used to provide employees with remote access to the corporate WLAN network. A consumer Wi-Fi router can easily be configured to connect to a tunnel termination gateway installed in a corporate data center by simply associating them with the same Account. The result is a virtual Remote Access Point (vRAP), providing seamless and secure access to the corporate WLAN from the home.

An operator with the technology disclosed herein integrated in residential gateways could provide the same virtual Remote Access Point (vRAP) functionality as a service, by simply issuing a directed Sell Order through the REST Web Service Interface.

The invention has mainly been described above with reference to a few embodiments. However, as is readily appreciated by a person skilled in the art, other embodiments than the ones disclosed above are equally possible within the scope of the invention, as defined by the appended patent claims. 

1. A communication network (400) comprising a front-end network communication device (100 A, 200 A) arranged to operate as a front-end access point for establishing at least one data connection (430), such as an IEEE 802.11 data connection (430), between at least one mobile communications terminal (420) and at least one back-end network communication device (100B, 200A), wherein said front-end network communication device (100A) comprises a memory (240), a controller (210) and a data port and said back-end network communication device (100B) comprises a memory (240), a controller (210) and a data port wherein said front-end network communication device (100 A) has a primary purpose and said at least one data connections (430) is for a secondary purpose associated with said at least one back-end network communication devices (100B), wherein said primary purpose is to provide one or more primary users with data communication services, and at least one of said primary users is in physical control of said front-end network communications device (100A), and said front-end network communications device (100 A) is arranged with access to primary encryption keys necessary for communication with said one or more primary users, and wherein said secondary purpose is to provide one or more secondary users access to secondary service providers, and wherein said data connection (430) is established end-to-end by: said front-end network communications device (100 A) being configured to receive at least one 802.11 frame from said mobile communications terminal (420), said IEEE 802.11 frame comprising an information entity, and send a corresponding message to said back-end network communications device (100B), said message comprising said information entity, and/or receive at least one message from said back-end network communications device (100B), said message comprising an information entity, and send a corresponding 802.11 frame to said mobile communications terminal (420), said IEEE 802.11 comprising said information entity, said front-end network communications device (100 A) thereby being configured to act as a forwarding relay between said at least one mobile communications terminal (420) and said at least one back-end network communications device (100B) and wherein said back-end network communication device (100B) is configured for: sending and receiving messages comprising IEEE 802.11 authentication protocol data to and/or from said at least one mobile communications terminal (420); and authenticating said mobile communication terminal (420) and deriving secondary encryption keys based on said IEEE 802.11 authentication protocol data, wherein said back-end network communication device (100B) has access to said secondary encryption keys and said back-end network communication device (100B) is configured to keep said secondary encryption keys secret from the front-end network communications device (100A).
 2. The communication network (400) according to claim 1, further comprising network element, such as a tunnel termination gateway, wherein said network element is comprised in the data connection (430) and wherein said back-end network communication device (100B) is configured for sending said encryption keys to said network element wherein said network element is enabled to decrypt and encrypt messages sent over the data connection (430).
 3. The communication network (400) according to claim 2, wherein said network element is configured to keep said secondary encryption keys secret from the front-end network communications device (100A).
 4. The communication network (400) according to claim 1, wherein said front-end network communications device (100 A) is configured to operate as an access point (100A), and said primary purpose is to provide access to a local network, such as a local area network, and/or to the internet.
 5. The communication network (400) according to claim 1, wherein the front-end network communications device (100 A) is configured to operate as a residential gateway, and said primary purpose is to provide access to a residential network and/or to the internet data connection (430) is established end-to-end over both a wireless and a wired interface.
 6. The communication network (400) according to claim 1, wherein access to the secondary service provider is for access to a local area network.
 7. The communication network (400) according to claim 1, further comprising a master server configured to send an introduction message to the back-end network communications device (100B) to introduce the front-end network communications device (100 A) to said back-end network communications device (100B).
 8. The communication network (400) according to claim 1, wherein said front-end network communications device (100 A) is configured to prioritize primary users over at least one of said at least one mobile communications terminals (420).
 9. A method for use in a communication network (400) comprising a front-end network communication device (100 A, 200 A) arranged to operate as a front-end access point for establishing at least one data connection (430), such as an IEEE 802.11 data connection (430), between at least one mobile communications terminal (420) and at least one back-end network communication device (100B, 200A), wherein said front-end network communication device (100A) comprises a memory (240), a controller (210) and a data port and said back-end network communication device (100B) comprises a memory (240), a controller (210) and a data port wherein said front-end network communication device (100 A) has a primary purpose and said at least one data connections (430) is for a secondary purpose associated with said at least one back-end network communication devices (100B), wherein said primary purpose is to provide one or more primary users with data communication services, and at least one of said primary users is in physical control of said front-end network communications device (100A), and said front-end network communications device (100 A) is arranged with access to primary encryption keys necessary for communication with said one or more primary users, and wherein said secondary purpose is to provide one or more secondary users access to secondary service providers, and wherein said method comprises establishing said data connection (430) end-to-end by: in the front-end network communications device (100 A) receiving at least one 802.11 frame from said mobile communications terminal (420), said IEEE 802.11 frame comprising an information entity, and from the front-end network communications device (100 A) sending a corresponding message to said back-end network communications device (100B), said message comprising said information entity, and/or in the front-end network communications device (100 A) receiving at least one message from said back-end network communications device (100B), said message comprising an information entity, and from the front-end network communications device (100 A) send a corresponding 802.11 frame to said mobile communications terminal (420), said IEEE 802.11 comprising said information entity, said front-end network communications device (100 A) thereby being configured to act as a forwarding relay between said at least one mobile communications terminal (420) and said at least one back-end network communications device (100B) and wherein said method further comprising sending and receiving messages comprising IEEE 802.11 authentication protocol data between said back-end network communication device (100B) and said at least one mobile communications terminal (420); and authenticating said mobile communication terminal (420) and deriving secondary encryption keys based on said IEEE 802.11 authentication protocol data, wherein said back-end network communication device (100B) has access to said secondary encryption keys and said back-end network communication device (100B) is configured to keep said secondary encryption keys secret from the front-end network communications device (100A).
 10. A computer-readable storage medium encoded with instructions that, when executed on a processor, performs the method according to claim
 9. 11. A back-end network communication device (100B, 200 A) for use in a communication network (400) according to claim 1, wherein said back-end network communications device (100B) is configured to: receive message from said front-end network communications device (100 A), said message comprising at least one 802.11 frame from said mobile communications terminal (420), said IEEE 802.11 frame comprising an information entity, and/or send at least one message from said back-end network communications device (100B), said message comprising an information entity, to said front-end network communications device (100A), and sending and receiving messages comprising IEEE 802.11 authentication protocol data to and/or from said at least one mobile communications terminal (420); and authenticating said mobile communication terminal (420) and deriving secondary encryption keys based on said IEEE 802.11 authentication protocol data, wherein said back-end network communication device (100B) has access to said secondary encryption keys and said back-end network communication device (100B) is configured to keep said secondary encryption keys secret from the front-end network communications device (100A).
 12. A front-end network communication device (100A, 200A) for use in a communication network (400) according to claim 1, wherein said front-end network communication device (100 A) has a primary purpose and said at least one data connections (430) is for a secondary purpose associated with said at least one back-end network communication devices (100B), wherein said primary purpose is to provide one or more primary users with data communication services, and at least one of said primary users is in physical control of said front-end network communications device (100A), and said front-end network communications device (100 A) is arranged with access to primary encryption keys necessary for communication with said one or more primary users, and wherein said secondary purpose is to provide one or more secondary users access to secondary service providers, and wherein said data connection (430) is established end-to-end by: said front-end network communications device (100 A) being configured to receive at least one 802.11 frame from said mobile communications terminal (420), said IEEE 802.11 frame comprising an information entity, and send a corresponding message to said back-end network communications device (100B), said message comprising said information entity, and/or receive at least one message from said back-end network communications device (100B), said message comprising an information entity, and send a corresponding 802.11 frame to said mobile communications terminal (420), said IEEE 802.11 comprising said information entity, said front-end network communications device (100 A) thereby being configured to act as a forwarding relay between said at least one mobile communications terminal (420) and said at least one back-end network communications device (100B) and wherein said sending and receiving message and corresponding 802.11 frame comprising IEEE 802.11 authentication protocol data enabling the back-end network communications device (100B) to authenticate said mobile communication terminal (420) and derive secondary encryption keys based on said IEEE 802.11 authentication protocol data, wherein said front-end network communication device (100 A) is arranged to not have access to said secondary encryption keys.
 13. A computer-readable storage medium encoded with instructions that, when executed on a processor of a back-end network communications device (100B) causes the back-end network communications device (100B) to perform as the back-end network communications device according to claim
 11. 14. A computer-readable storage medium encoded with instructions that, when executed on a processor of a front-end network communications device (100 A) causes the front-end network communications device (100 A) to perform as the front-end network communications device according to claim
 12. 15. The communication network (400) according to claim 4, wherein access to the secondary service provider is for access to a local area network.
 16. The communication network (400) according to claim 5, wherein access to the secondary service provider is for access to a local area network. 